September 2013 - Posts

According to arstechnica.com, the US government spends $11 billion and dedicates 35,000 people each year to a program "dedicated to encryption," which includes cracking encryption. Most people would view this as a bad thing. There are issues like the right to privacy and whatnot. But the way I see it, this is actually good news for users of laptop encryption software like AlertBoot.

Encryption: Proof that It Works

Eleven billion dollars is not small potatoes. Let's assume that 0.1% of it is dedicated towards cracking encryption. That means that $11 million is being used each year on cracking encryption alone (personally, I find the number to be too low. It's probably much, much higher).

What this means to the average computer user is that, if they are looking to protect their data, tools like disk encryption (say, the AES-256 encryption from AlertBoot) are more than enough to secure their data. If you're trying to hide something from the government, maybe you won't be successful, as in this case. But, if you're working in a hospital and are looking to ensure that patient files remain confidential, or you're a lawyer and you want to ensure that your client data remains under wraps, encryption is an easy, effective, and cheap way to do it.

This is why most US states with data breach laws on their books will offer safe harbor if encryption is used to protect sensitive data. The reasoning extends to US federal laws as well as EU legislation, and basically to any country in the world that has data security and data privacy laws.

Cryptocalypse?

Bad news always follows good news, however. According to the same arstechnica.com report,

some cryptographers are growing increasingly concerned that breakthroughs in discrete mathematics could soon spawn a so-called cryptopocalypse that could undermine the security of core encryption algorithms...since there's no mathematical proof that the theory isn't possible, there's no way to dismiss the possibility.

If this scenario does play out...well, it would be the end of the world as we know it. For one thing, encryption is what allows banking to occur. Not just online banking, but the flow of money from one bank to another, from a commercial bank to the federal reserve, international transfers, etc. Furthermore, the use of credit and debit cards requires encryption at some level.

In fact, encryption tends to affect our lives in some of the most unexpected ways. In a sense, they're kind of like those "Made in China" tags: look close enough and there it is.

Of course, most experts doubt that a Crytpocalypse is imminent. As a non-expert, here are my two cents on the issue: if "there's no mathematical proof that the theory isn't possible" is the main reason for pushing the argument, you're on the short side of the stick; it has something to do with trying to prove a negative, which is not impossible, but decidedly hard to do. Negative proofs that are not logical fallacies tend to be small in number, as I understand it.

A dental practice in Florissant (a suburb of St. Louis, Missouri) has revealed that a recent data breach could involve 10,000 people. The medical data breach was possible because patient data encryption software was not used to secure laptops that were stolen during a burglary.

Mostly Affected are Teenagers, Password Protection was Used

According to stltoday.com, an attorney that is representing the orthodontist's office has confirmed that "extensive investigation[s]" had to be performed to see who was affected by the burglary, although he did mention that "most of the patient were probably teenagers," which makes sense when you consider who generally gets orthodontic treatment (think: braces).

HIPAA rules do not discriminate based on age, however: since the computers were not protected with disk encryption software – but only with password-protection, which is easily "crackable" – Olson & White are forced to report the data breach not only to patients but the Department of Health and Human Services (HHS). In this case, because more than 500 are affected, the HHS has to be contacted immediately. Furthermore, certain other rules may apply, such as having to contact a media outlet to get the news out.

Why does the use of encryption software give a medical organization a way out from report a data breach? Legally, it's because the Breach Notification Rule (found under the HITECH amendments to HIPAA) offers safe harbor from reporting a medical data breach if encryption is used.

From a technical standpoint, it's because encryption offers one of the best ways of protecting digital information. The use of strong encryption software – like AES-256 – is considered to be unbreakable with modern computing tools. Testing by cryptologists, that continues today, has upheld this theory so far. Under the circumstances, chances are that PHI encryption can easily prevent data on stolen or lost laptops from falling into the wrong hands.

Why Do HIPAA Covered Medical Entities Forego Encryption?

Simply put, medical organizations will demur at the use of encryption because of cost. Not only financial cost – like actually paying for the encryption licenses – but also for other costs, such as opportunity costs. For example, if facing a tight budget, money diverted towards non-performing expenses like security software could mean having to give up on hiring a dental technician or the latest x-ray machine that could speed up consultations and treatment.

Furthermore, there is the added problem of hidden cost when deploying encryption: most encryption providers only list the cost of licenses (usually per machine or device to be protected, sometimes per user, regardless of how many devices are involved) but the encryption budget needs to cover things like central management servers, the software that is required to ensure such servers can to their job (the underlying operating system, for example), space for the server in a data center, etc. Hidden costs can also include the hours worked by an IT technician as well as any ongoing operational and maintenance costs.

Since data breaches may not affected a medical organization for an extended period of time, many myopically decide to forego encryption, possibly thinking that it won't happen to them, or promising that they'll do it "soon."

Of course, it doesn't have to be that way. AlertBoot FDE complies with HIPAA encryption requirements (namely, it's a FIPS 140-2, NIST validated solution) and states all costs upfront.